Skip to main content

What is Syscall Invocation?

Once you have the correct SSN (System Service Number), you need to execute the actual syscall instruction to transition from user-mode to kernel-mode. The invocation method determines where the syscall instruction lives and how it’s executed. Different invocation methods have different detection profiles for AV/EDR products.

Why It Matters: RIP Visibility

When a syscall transitions to kernel-mode, the kernel can inspect the instruction pointer (RIP) that initiated the syscall. EDR drivers monitor this:
EDRs can flag syscalls originating from outside ntdll.dll as potential hook bypasses.

Available Invocation Methods

SysWhispers4 provides 4 different invocation techniques:

Embedded

Direct syscall in your code. Fastest. RIP in your PE.

Indirect

Jump to ntdll gadget. RIP in ntdll. Static gadget.

Randomized

Random gadget per call. RIP in ntdll. Maximum entropy.

Egg Hunt

No syscall on disk. Runtime patching. Zero static signature.

Method Comparison

Embedded = syscall instruction lives in your stub
Indirect = Jump to syscall;ret gadget in ntdll
Randomized = Pick random gadget from pool of 64
Egg Hunt = Replace runtime egg with syscall

Embedded: Direct Syscall

The syscall instruction is compiled directly into your generated stub:
Pros:
  • Simplest implementation
  • No ntdll dependency
  • Fastest execution
Cons:
  • syscall opcode (0F 05) visible in your binary on disk
  • RIP points to your PE at kernel entry — detectable by EDR
Use when: Quick testing, CTF challenges, or environments without kernel-mode EDR monitoring.

Indirect: ntdll Gadget

Your stub jumps to a pre-located syscall;ret gadget inside ntdll.dll:
At kernel entry, RIP = address inside ntdll — identical to a normal Windows API call. Pros:
  • RIP appears inside ntdll.dll (legitimate)
  • No syscall opcode in your binary on disk
  • Bypasses simple “syscall from non-ntdll” detection
Cons:
  • Static gadget address can be fingerprinted by EDR
  • Requires ntdll to remain mapped
Use when: Standard red team operations against commercial EDR.
Indirect invocation is the recommended default for production red team tools.

Randomized: Entropy per Call

Like Indirect, but selects a different random gadget from a pool of up to 64 on every syscall:
Pros:
  • RIP inside ntdll (legitimate)
  • Different gadget every call — defeats EDR whitelisting
  • Uses RDTSC for entropy (no API calls)
  • No syscall opcode in your binary
Cons:
  • Slightly slower than Indirect (RDTSC + array lookup)
  • More complex stub code
Use when: Evading advanced EDR that fingerprints specific syscall gadget addresses.
SysWhispers3’s randomized method had a bug where RDTSC clobbered rdx (second argument). SysWhispers4 correctly saves/restores rdx via r11.

Egg Hunt: No Syscall on Disk

Stubs contain a random 8-byte egg marker instead of syscall. At runtime, SW4_HatchEggs() scans your .text section and replaces eggs with 0F 05 90 90 90 90 90 90:
Initialization:
Pros:
  • Zero syscall opcodes in binary on disk
  • Defeats static signature scanning
  • Works with or without ntdll
Cons:
  • Requires .text section to be writable at runtime (VirtualProtect)
  • RIP still points to your PE (detectable by kernel EDR)
  • Slower initialization
Use when: Evading static YARA rules or disk-based signature scanners.

Choosing the Right Method

For Quick Testing

Fastest and simplest. Use in lab environments.

For Standard Red Team Operations

RIP inside ntdll. Recommended default.

Against Advanced EDR with Gadget Fingerprinting

Random gadget per call. Maximum runtime entropy.

To Evade Static Signature Scanning

No syscall opcode on disk. Runtime patching.

Maximum Stealth (Randomized + Stack Spoofing)

Combines randomized gadgets with synthetic call stack for maximum evasion.

Detection Landscape

¹ Syscall is in your code, not ntdll — different detection profile.
Kernel-mode ETW-Ti (Microsoft-Windows-Threat-Intelligence) monitors syscalls at the kernel level and logs them regardless of invocation method. No user-mode technique bypasses kernel telemetry without kernel access.

Learn More

Detailed Method Reference

Complete technical documentation and usage examples for all invocation methods.

Stack Spoofing

Synthetic call stack frames to evade stack-walking EDR analysis.

EDR Detection Vectors

Comprehensive analysis of what EDR products can and cannot detect.

ETW-Ti Limitations

Understanding kernel-mode telemetry that cannot be bypassed from user-mode.